Effective Internal Controls for Employee Benefit Plans

Presentation for TVHRA

Ted Hotz, CPA (Audit Partner)

• Why Internal Controls Matter?
  • By minimizing opportunities for unintentional errors or intentional fraud (Preventative Controls)
  • By discovering small errors before they become big problems (Detective Controls)
• Where Are the Risks?
  • Fraudulent Financial Reporting
    • Non-Readily marketable investments
    • Ineffective monitoring of management
    • Deficient internal control components
    • Poor Investment results
    • Financial stability of the plan sponsor is threatened
    • Plan has invested in employer securities
  • Misappropriation of Assets
    • Lack of qualified outside service providers
    • Inadequate internal controls over assets
    • Personal financial pressures
    • Known or anticipated future layoffs
    • Recent or expected changes in benefits
  • DOL Criminal Enforcement Cases Examples
  • Establishing a Cost-Effective Control Environment
    • Participant data input and change administration
    • Processing payroll and contributions
    • Participant distributions
    • Segregation of duties
  • Monitoring Internal Controls
    • Are the controls in place and operating?
    • Is the system working as designed?
    • Are the controls and reports periodically reviewed?
    • Are identified exceptions and problems resolved?
    • Are you monitoring service organizations?
  • SOC 1 Report (System and Organization Controls Report)
    • Read the report!
    • Two service providers with qualified reports
    • Type 2 reports assess operating effectiveness
    • Review report for exceptions and carve-outs
    • Understand the complementary user entity controls
      • The service provider is expecting you to handle the user entity controls
    • Internal Controls and Your Regulators (example)
    • Internal Controls and Your Auditor (example)
    • Understanding the Severity of Internal Control Deficiencies
      • Material weakness
      • Significant deficiency
      • Control deficiency
    • Cybersecurity
      • Records management usually contracted out to third party providers
      • Review cyber-security policies of third-party service providers, including encryption
      • Conduct periodic tests to detect threats
      • Perform periodic testing of backup and recovery plans
      • Establish internal training practices to reinforce data security and incident response plans
    • How Can Your Auditor Help?
      • Participant Data testing
        • Procedures exist to promptly identify and notify eligible participants for enrollment
        • Retain enrollment applications including signed refusals
        • Management should regularly review changes made to the payroll master file
        • Determination of employee compensation under the plan
      • Payroll Processing and Contributions testing
        • Ensure adequate segregation of duties exist
        • Current payrolls are compared with previous payrolls and variances are investigated
        • Access to the payroll system is appropriately restricted
      • Participant Distributions testing
        • Signed or e-signed distribution forms are used
        • Withdrawal forms, including requests for hardship withdrawals from 401(k) arrangements, are reviewed by a responsible official.
      • Participant Loans testing
        • Loan requests are in compliance with plan document
          • Loan term (generally limited to 5 years)
          • Number of outstanding loans per participant
        • Loan repayments properly being made through payroll process
      • Income Allocations to Participant Accounts (testing)
      • Risk Assessment by Auditor
    • Auditor Selection Criteria
      • Member of AICPA Employee Benefit Plan Audit Quality Center (EBPAQC)
      • Annual specialized training in EBP auditing
      • EBP audits reviewed annually by independent expert(s)
      • Extensive experience in auditing EBP plans
    • Department of Labor Hot Topics (DOL Alerts)
      • Timeliness of contributions and loan payments
      • Reasonable and transparency of fees
      • Fiduciary responsibilities
      • Compliance with plan documents
    • IRS Top Ten Failures Found in Voluntary Correction Program
    • US Department of Labor – 10 Warning Signs That 401(k) Contributions are Being Misused
    • Resources and Links

Tickets

$19.00 Member Ticket

$25.00 Non-Member Ticket

$10.00 Member Student Ticket

$300.00 Meeting Sponsor Ticket

$10.00 Non-Member Student Ticket